[pkg-ntp-maintainers] Exploitable NTP server used for an attack
Bob Proulx
bob at proulx.com
Fri Feb 21 19:45:37 UTC 2014
Hello NTP Maintainers, Please CC me on replies.
Is it possible to turn on monlist remotely?
I was just notified that one of the machines I help administer was
used in an NTP DDoS attack. Inspection shows that the system was
vulnerable. It was a stock Squeeze system, fully up to date, running
the package-delivered ntp.conf file. The ntp package version and
ntp.conf were identical to other systems. And yet it was responding
when queried remotely just the same. How is that possible?
After coming up empty on why, I decided to do nothing other than
restart the ntpd. (All of .177, .182, and .188 are the same host.)
Before:
rwp at dismay:~$ ntpdc -n -c monlist ns2
remote address port local address count m ver rstr avgint lstint
===============================================================================
132.163.4.103 123 66.54.153.177 41040 4 4 0 949 382
66.54.153.1 123 66.54.153.188 41173 4 4 1d0 946 468
66.135.44.92 123 66.54.153.177 40996 4 4 0 950 715
66.54.153.28 123 66.54.153.188 41173 4 4 1d0 946 820
162.210.249.218 41150 66.54.153.182 1 3 4 0 440987 440987
50.116.62.188 52583 66.54.153.177 1 3 4 0 690801 690801
58.215.177.51 45969 66.54.153.182 4 3 4 0 653639 2407879
Restart:
ns2:~# service ntp restart
Stopping NTP server: ntpd.
Starting NTP server: ntpd.
After:
rwp at dismay:~$ ntpdc -n -c monlist ns2
ns2: timed out, nothing received
***Request timed out
The configuration contains:
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
restrict 127.0.0.1
restrict ::1
The rest of the file is the same as if the package were purged and
then installed again fresh with the exception of the addition of two
local server lines for local timeservices. I did not modify the
ntp.conf file but only restarted the ntp service. After the restart it
is no longer reporting monlist. Any ideas on how that is possible?
And so I wonder if it is possible to turn on monlist remotely?
Unfortunately, by restarting the ntpd I have lost the test case that
was producing the problem. Fortunately, however, it appears to no
longer be vulnerable to participating in a DDoS. Unless there is a way
to enable this feature remotely? I fear this may be one of those
reproducible results that never makes sense.
Thanks,
Bob
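The check Bob ran with `ntpdc -n -c monlist` is a single UDP mode 7 request, and the reason it matters for DDoS is the size of the reply it provokes. The following is an added example, not code from the original post or from the ntp project: it builds the MON_GETLIST_1 request, parses a reply into entries, and computes the amplification ratio. The entry layout (72 bytes per entry, fields as in ntpd's info_monitor_1 structure) is written from memory of ntp_request.h and is an assumption; the sample reply is constructed here from rows of the monlist output in the post, and `probe()` is the only function that touches the network.

```python
"""Added example: NTP mode 7 'monlist' request/response handling.

Not from the original post or the ntp project.  Entry layout follows
ntp_request.h's info_monitor_1 as remembered (an assumption); the
sample reply below is constructed for this example.
"""
import socket
import struct
from dataclasses import dataclass
from typing import List, Tuple

IMPL_XNTPD = 3          # implementation number used by ntpd
REQ_MON_GETLIST_1 = 42  # request code behind 'ntpdc -c monlist'
ENTRY_SIZE = 72         # size of one info_monitor_1 entry
NTP_PORT = 123


def build_monlist_request() -> bytes:
    # byte 0: response=0, more=0, version=2, mode=7 -> 0x17
    # byte 1: auth bit + sequence = 0; byte 2: impl; byte 3: request code
    # bytes 4-7: err/item count and mbz/item size, all zero in a request
    return bytes([0x17, 0x00, IMPL_XNTPD, REQ_MON_GETLIST_1]) + b"\x00" * 4


@dataclass
class MonEntry:
    addr: str     # remote address that talked to the server
    daddr: str    # local address it talked to
    port: int
    count: int
    mode: int
    version: int


def parse_monlist_reply(pkt: bytes) -> Tuple[bool, List[MonEntry]]:
    """Return (more_packets_follow, entries) for one mode 7 reply packet."""
    if len(pkt) < 8:
        raise ValueError("short packet")
    b0, _seq, impl, code, err_count, mbz_size = struct.unpack("!BBBBHH", pkt[:8])
    if (b0 & 0x07) != 7 or not (b0 & 0x80):
        raise ValueError("not a mode 7 response")
    if impl != IMPL_XNTPD or code != REQ_MON_GETLIST_1:
        raise ValueError("unexpected implementation/request code")
    err = err_count >> 12
    if err:
        raise ValueError(f"server returned error code {err}")
    nitems, size = err_count & 0x0FFF, mbz_size & 0x0FFF
    if size != ENTRY_SIZE:
        raise ValueError(f"unexpected item size {size}")
    entries = []
    for i in range(nitems):
        chunk = pkt[8 + i * size: 8 + (i + 1) * size]
        if len(chunk) < size:
            raise ValueError("truncated entry")
        (_last, _first, _restr, count, addr, daddr, _flags,
         port, mode, version) = struct.unpack("!IIIIIIIHBB", chunk[:32])
        v6_flag = struct.unpack("!I", chunk[32:36])[0]
        if v6_flag:
            a = socket.inet_ntop(socket.AF_INET6, chunk[40:56])
            d = socket.inet_ntop(socket.AF_INET6, chunk[56:72])
        else:
            a = socket.inet_ntoa(struct.pack("!I", addr))
            d = socket.inet_ntoa(struct.pack("!I", daddr))
        entries.append(MonEntry(a, d, port, count, mode, version))
    return bool(b0 & 0x40), entries


def amplification(request: bytes, replies: List[bytes]) -> float:
    """Bytes sent back to the (spoofed) source per byte of request."""
    return sum(len(r) for r in replies) / len(request)


# --- constructed sample reply (data built from rows in the post) ---
def make_entry(addr: str, port: int, daddr: str, count: int) -> bytes:
    a = struct.unpack("!I", socket.inet_aton(addr))[0]
    d = struct.unpack("!I", socket.inet_aton(daddr))[0]
    body = struct.pack("!IIIIIIIHBB", 382, 949, 0, count, a, d, 0, port, 4, 4)
    return body + struct.pack("!II", 0, 0) + b"\x00" * 32   # v6_flag, pad, addr6, daddr6


def make_reply(entries: List[bytes], more: bool, seq: int = 0) -> bytes:
    b0 = 0x97 | (0x40 if more else 0)   # response bit, version 2, mode 7
    hdr = struct.pack("!BBBBHH", b0, seq, IMPL_XNTPD, REQ_MON_GETLIST_1,
                      len(entries), ENTRY_SIZE)
    return hdr + b"".join(entries)


SAMPLE_REPLY = make_reply([
    make_entry("132.163.4.103", 123, "66.54.153.177", 41040),
    make_entry("66.54.153.1", 123, "66.54.153.188", 41173),
    make_entry("66.135.44.92", 123, "66.54.153.177", 40996),
    make_entry("66.54.153.28", 123, "66.54.153.188", 41173),
    make_entry("162.210.249.218", 41150, "66.54.153.182", 1),
    make_entry("50.116.62.188", 52583, "66.54.153.177", 1),
], more=False)


def probe(host: str, timeout: float = 2.0) -> List[MonEntry]:
    """Live check: a server that drops the query (as ns2 did after the
    restart) simply times out and yields an empty list."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    entries: List[MonEntry] = []
    try:
        s.sendto(build_monlist_request(), (host, NTP_PORT))
        while True:
            data, _ = s.recvfrom(2048)
            more, ents = parse_monlist_reply(data)
            entries.extend(ents)
            if not more:
                break
    except socket.timeout:
        pass
    finally:
        s.close()
    return entries


if __name__ == "__main__":
    more, ents = parse_monlist_reply(SAMPLE_REPLY)
    for e in ents:
        print(f"{e.addr:>16} {e.port:>6} {e.daddr:>16} {e.count:>6} {e.mode} {e.version}")
    print("amplification x%.1f" % amplification(build_monlist_request(), [SAMPLE_REPLY]))
```

An 8-byte request that pulls a 440-byte packet (six 72-byte entries plus the 8-byte header) is a 55x amplification from a single reply, and a server tracking many clients sends a chain of these packets with the "more" bit set, which is why a monlist-exposed host with a spoofed source address is such a useful reflector. A timeout from `probe()`, like the "timed out, nothing received" in the post, is the healthy result.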